Discussion: official SonarSource Docker image vs. this repo's image

[newtmitch]

SonarScanner has an official Docker image available, and has for a while. See here and here for details. Although I'm happy to keep my project alive, I'd love to hear from consumers and contributors of this repo about whether the official image is the Better Way™ or if what I've done here has some distinct and specific value that the official image doesn't.

• why do you use the image from this repo?
• why do you use the official sonar image instead?

Please leave responses to this issue with your thoughts on using either image.

[newtmitch]

I tried out the official Sonar Scanner image using the following commands, which align generally with the "try it out locally" commands I have in my README:

docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

SONARQUBE_URL=sonarqube:9000 && \
docker run \
    --rm \
    --link sonarqube \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    -v "$PWD:/usr/src" \
    sonarsource/sonar-scanner-cli \
    sonar-scanner -Dsonar.projectKey=myproject

I ran that image on some local source (python/javascript) of my own followed immediately by the image from this repo on the same source code. Both produced identical results in that one test (not definitive, but "something").

A few things to note about the official source image that differs from the one in this repo:

• It uses alpine-3.11 as a base image, not openjdk, which means the dependencies are decoupled from the base image.
• It installs JDK 11 to cover more potential architecture differences - uses apk's architecture output as the basis by which to install, likely in order to provide more options for host compatibility.
• More secure installs of java and node (and possibly others) by making use of SHA hashes from downloaded archives.
• Installs python3, shellcheck, pylint, typescript@3, and some other deps that the image in this repo doesn't currently include.
• Smaller image by about 140MB (514MB -> 380MB).
• No timezone tomfoolery (I don't remember why I originally did this, but it seems hacky at best).

So I'm interested in the thoughts / feedback from the community about how best to proceed. If you're not using the official image, why not?

[serut]

I migrated easily, I just replaced the image name. I think your image is well ranked on google, that's it.

[sseide]

original image is missing curl and their busybox-wget is very basic regarding TLS and no HTTP auth support... therefore unusable.
curl/http auth needed to integrate sonarqube into build pipelines and wait for the full scan result (reference here https://stackoverflow.com/questions/44086452/how-to-integrate-sonar-quality-gates-with-gitlab-ci/56494794#56494794)